List: oss-security
Subject: Re: [oss-security] CVE Request: PackageKit "update" allows downgrade of packages when using the "zypp
From: Kurt Seifried <kseifried () redhat ! com>
Date: 2013-02-25 21:24:01
Message-ID: 512BD671.6080509 () redhat ! com
On 02/23/2013 12:34 AM, Marcus Meissner wrote:
> Hi,
>
> On openSUSE we have started to allow local logged in users to install
> online updates (but not install new packages or remove ones), as this
> seems a common and secure operation to us.
> (Also done in light of the Linus Torvalds flame posting.)
>
> PolicyKit rules in PackageKit also allow this in the vanilla version:
> org.freedesktop.packagekit.system-update
> shipping default is "yes" for local logged-in active users.
>
>
> So far we assumed that the update operation only allows upgrading versions.
>
> The enforcement of this rule did not fully work, so at least the "zypp"
> backend of PackageKit allowed downgrade of packages using this call.
> The "update" method also allowed installing non-update resolvables like
> patterns or even new packages.
>
> We have not checked the other backends; they might also be affected.
>
> https://bugzilla.novell.com/show_bug.cgi?id=804983
> https://bugs.freedesktop.org/show_bug.cgi?id=61231
> https://gitorious.org/packagekit/packagekit/commit/d3d14631042237bcfe6fb30a60e59bb6d94af425
>
>
> As the default assumed secure behaviour is violated, this requires a CVE.
>
> Ciao, Marcus
>
Please use CVE-2013-1764 for this issue.
--
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
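The thread above describes the check the zypp backend failed to enforce: an "update" request must name an installed package at a strictly newer version, and must not be a pattern or a new package. The following is an added example of such a gate, not PackageKit's or the zypp backend's own code; it uses a simplified reimplementation of RPM's rpmvercmp ordering and a constructed installed-package table.

```python
import re

# Constructed sample data (not from the thread): what is installed on the system,
# keyed by package name, as "version-release" (epoch omitted for brevity).
INSTALLED = {"bash": "4.2-57.1", "zypper": "1.8.10-1.1"}

_SEG = re.compile(r"[0-9]+|[a-zA-Z]+|~")  # version segments; '~' is a pre-release marker


def rpmvercmp(a: str, b: str) -> int:
    """Simplified rpmvercmp ordering: returns -1, 0 or 1 for a <, ==, > b."""
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    for x, y in zip(sa, sb):
        if x == "~" or y == "~":            # tilde sorts before anything, even end of string
            if x != y:
                return -1 if x == "~" else 1
            continue
        if x.isdigit() and y.isdigit():     # numeric segments compare as integers
            if int(x) != int(y):
                return -1 if int(x) < int(y) else 1
        elif x.isdigit() != y.isdigit():    # a numeric segment beats an alphabetic one
            return 1 if x.isdigit() else -1
        elif x != y:                        # both alphabetic: plain string order
            return -1 if x < y else 1
    # Common prefix is equal; the string with leftover segments is newer unless
    # the leftover starts with '~' (e.g. 1.0~rc1 < 1.0).
    rest_a, rest_b = sa[len(sb):], sb[len(sa):]
    if rest_a:
        return -1 if rest_a[0] == "~" else 1
    if rest_b:
        return 1 if rest_b[0] == "~" else -1
    return 0


def compare_evr(a: str, b: str) -> int:
    """Compare two 'version-release' strings: version first, then release."""
    va, _, ra = a.partition("-")
    vb, _, rb = b.partition("-")
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)


def check_update_request(name: str, version: str, kind: str, installed: dict) -> tuple:
    """Gate for the system-update privilege: only strict upgrades of installed packages pass."""
    if kind != "package":                   # patterns and other resolvables are not updates
        return (False, "only packages may be applied via update")
    if name not in installed:               # a package that is not installed would be an install
        return (False, "package is not installed")
    if compare_evr(version, installed[name]) <= 0:
        return (False, "requested version is not newer than the installed one")
    return (True, "ok")
```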